ProjectsAndPrograms School Management System
cpe:2.3:a:school_management_system_project:school_management_system:*:*:*:*:*:*:*
A vulnerability allowing unauthenticated arbitrary file uploads has been identified in the ProjectsAndPrograms School Management System, specifically in versions prior to the commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue resides in the uploadNotes.php file, where the 'file' parameter can be manipulated to upload malicious PHP scripts. These scripts are executed on the server with the same privileges as the web server user, leading to remote code execution.
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running under the web server user's privileges. This could lead to a complete compromise of the server, including access to the application database and any sensitive information it contains, such as personal data of students and staff, academic records, and system credentials. Additionally, the vulnerability could be used to disrupt services, modify or delete website content, or as a foothold for further network attacks.
To reproduce this vulnerability, send a POST request to the /assets/uploadNotes.php endpoint without any authentication. Include the 'file' parameter in the request, attaching a PHP file that contains malicious code, such as a web shell. The server will save the uploaded file in the publicly accessible /notesUploads/ directory, where it can be executed via HTTP. Once the file is executed, commands can be passed through the 'pass' parameter to execute arbitrary system commands on the server.
It is recommended to implement access controls so that the uploadNotes.php endpoint is reachable only by authenticated users. Additionally, uploaded files should be validated against an allowlist of safe file types, with the MIME type verified, and renamed so that they cannot be executed directly. Finally, uploaded files should be stored outside the web root, or the web server should be configured to deny execution in the upload directory.
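The following is an added example of what the recommended fix looks like as a replacement upload handler; it is not the project's own code or its patched uploadNotes.php. It assumes the application keeps the logged-in user's id in `$_SESSION['user_id']`, that `/var/app/private_uploads/notes` is a directory outside the web root, and that the allowed-type list and size cap below are the site's policy (all of these are assumptions).

```php
<?php
// Added example, not the project's code: a hardened "upload notes" handler that
// applies each mitigation from the advisory. Assumed: session key 'user_id',
// a private directory outside the web root, and the policy constants below.
declare(strict_types=1);

session_start();

const UPLOAD_DIR = '/var/app/private_uploads/notes'; // assumed path, outside the web root
const MAX_BYTES  = 10 * 1024 * 1024;                  // 10 MiB cap (assumed policy)

// Allowlist of accepted extensions mapped to the MIME types expected for them.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

// 1. Access control: the vulnerable endpoint answered requests with no session at all.
if (empty($_SESSION['user_id'])) {
    fail(401, 'Authentication required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['file'])) {
    fail(400, 'Expected a multipart POST with a "file" field');
}

$f = $_FILES['file'];
if ($f['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'Upload failed with error code ' . $f['error']);
}
if ($f['size'] <= 0 || $f['size'] > MAX_BYTES) {
    fail(413, 'File too large or empty');
}
// Only accept the temp file PHP itself created for this request.
if (!is_uploaded_file($f['tmp_name'])) {
    fail(400, 'Invalid upload');
}

// 2. Extension allowlist: the client-supplied name is consulted once, never stored.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    fail(415, 'File type not permitted');
}

// 3. MIME check on the actual bytes (finfo), not on the client-supplied $_FILES['type'].
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($f['tmp_name']);
if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
    fail(415, 'File content does not match its extension');
}

// 4. Rename: random name plus the allowlisted extension, so neither the original
//    filename nor a double extension such as "x.php.pdf" ever reaches the disk.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true) && !is_dir(UPLOAD_DIR)) {
    fail(500, 'Storage unavailable');
}
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail(500, 'Could not store file');
}
chmod($dest, 0640); // not executable, not world-readable

// 5. Return an opaque token; files are later served by a download script that
//    reads from UPLOAD_DIR, never through a direct URL under the web root.
header('Content-Type: application/json');
echo json_encode(['stored_as' => $stored, 'owner' => $_SESSION['user_id']]);
```

Because the files live outside the web root, nothing a client uploads is ever addressable by URL, which removes the execution step of the attack regardless of what the type checks miss. If a deployment must keep an upload directory under the web root instead, the same defence-in-depth comes from the server configuration: for mod_php deployments an `.htaccess` in that directory containing `php_flag engine off` stops PHP from interpreting anything stored there, and the type and rename checks above remain the first line of defence.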